
The Job Hunt Trap: Unmasking the PUMA Careers Phishing Campaign

Author: Yevgeni Pak

Introduction

A highly polished phishing campaign impersonating PUMA Careers has been identified targeting job seekers through LinkedIn reconnaissance and AI-assisted social engineering techniques. Unlike traditional low-effort phishing attempts, this operation demonstrates high-quality UI/UX design that closely mimics the official PUMA branding, AI-assisted content generation, multi-stage credential harvesting, realistic recruitment workflows, and infrastructure designed to appear legitimate while remaining disposable for attackers to quickly spin up and down.

While phishing scams are generally known for their use of fear and urgency, this campaign specifically leverages professional recruitment narratives and low-pressure engagement to reduce victim suspicion.

As a note, prior to publication of this report, the CyberProof Threat Research team contacted PUMA directly to inform them of the attack. At the time of publication, the fake careers website and the credential harvesting infrastructure were still operational. We will continue to publish updates on this campaign as they are observed.

Uncovering the Attack: Initial Detection

The campaign was initially identified by CyberProof Threat Hunters because of an identity mismatch anomaly: the phishing email addressed the victim by their public LinkedIn identity, even though the targeted email account used a different name format. This led the threat hunting team to suspect that the threat actor had harvested data from LinkedIn to personalize the attack, i.e. that OSINT-based victim profiling was in use.

This human behavioral inconsistency became the primary detection signal.
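The identity-mismatch signal described above can be checked mechanically at the mail gateway or in a triage script. The following is an added example, not CyberProof's tooling: it compares the name in the greeting line with the name the mailbox owner actually uses (and with what the address itself spells out) and flags a message that addresses someone the mailbox does not belong to. The address book, the two sample messages and the sender domain are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed address book: mailbox -> the name its owner actually uses with it.
# In practice this comes from the directory or HR system, not a literal dict.
ADDRESS_BOOK = {
    "bluefalcon@example.net": "Blue Falcon",
    "jane.doe@example.net": "Jane Doe",
}

# Salutations that carry no personal name and must not count as a match.
GENERIC = {"there", "team", "all", "candidate", "applicant", "sir", "madam", "friend"}

# A greeting line: "Dear Jonathan Smith," / "Hi Jane," / "Hello Blue Falcon:"
GREETING_RE = re.compile(
    r"^[ \t]*(?:dear|hi|hello|hey|greetings)[ \t]+"
    r"([A-Za-z][\w'.-]*(?:[ \t]+[A-Za-z][\w'.-]*){0,2})[ \t]*[,!.:]",
    re.IGNORECASE | re.MULTILINE,
)


def name_tokens(text):
    """Lower-cased word tokens of a name or of a mailbox local part."""
    return {t for t in re.split(r"[^a-z]+", text.lower()) if len(t) > 1}


def greeting_name(body):
    """Return the name used in the first greeting line, or None if there is none."""
    m = GREETING_RE.search(body)
    if not m:
        return None
    name = m.group(1).strip()
    return None if name_tokens(name) <= GENERIC else name


def check_identity_mismatch(raw_email, address_book=ADDRESS_BOOK):
    """Flag a message whose greeting names someone the mailbox does not belong to."""
    msg = message_from_string(raw_email, policy=default)
    _, recipient = parseaddr(str(msg["To"] or ""))
    recipient = recipient.lower()
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    greeted = greeting_name(text)
    # Names the mail context legitimately offers: the owner's chosen name
    # and whatever the local part of the address spells out.
    expected = name_tokens(address_book.get(recipient, ""))
    expected |= name_tokens(recipient.split("@", 1)[0])
    result = {"recipient": recipient, "greeting": greeted,
              "mismatch": False, "reason": "no personal greeting"}
    if greeted is None:
        return result
    if name_tokens(greeted) & expected:
        result["reason"] = "greeting matches mailbox owner"
    else:
        result["mismatch"] = True
        result["reason"] = (f"greeting '{greeted}' matches neither the mailbox "
                            f"owner's name nor the address itself")
    return result


# Constructed sample: the lure greets the LinkedIn name, not the mailbox owner.
PHISH_SAMPLE = """From: PUMA Careers <careers@recruiter-portal.example>
To: bluefalcon@example.net
Subject: Senior Marketing Manager opportunity
Content-Type: text/plain; charset=utf-8

Dear Jonathan Smith,

We reviewed your profile and would like to discuss a remote Senior
Marketing Manager role with our Global Talent Acquisition team.
"""

# Constructed sample: an internal message that greets the owner by her own name.
BENIGN_SAMPLE = """From: HR <hr@example.net>
To: jane.doe@example.net
Subject: Interview confirmation
Content-Type: text/plain; charset=utf-8

Hi Jane,

Confirming your interview on Tuesday.
"""

if __name__ == "__main__":
    for sample in (PHISH_SAMPLE, BENIGN_SAMPLE):
        print(check_identity_mismatch(sample))
```

The check is deliberately permissive (any shared token between greeting, owner name and address counts as a match), so it produces few false positives on its own; its value is as one correlation input alongside domain age and sender reputation, exactly the way the threat hunters used it here.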

[Image: phishing email offering a Senior Marketing Manager opportunity, with the sender tooltip expanded to show the sender's name, email address and other details in Hebrew]

Figure 1: Initial phishing email – pumacareerorbit[.]com

The phishing attempt began with a professionally written recruitment email impersonating PUMA Careers. Characteristics of the email included fluent English aligned with corporate language for HR correspondence, the lure of a remote senior-level opportunity, the Global Talent Acquisition branding, and the corporate-style signature.

Crucially, the email avoided traditional phishing traps such as urgency, threats or financial pressure, and instead spoke about a remote opportunity for a strategic leadership role, using recognizable terms common to corporate job descriptions to increase credibility. This kind of email leverages the current atmosphere in the employment market, hoping to manipulate thousands of employees who are out of work and looking for their next opportunity.

Further investigation by the threat hunting team found that the domain associated with the email (pumacareerorbit[.]com) had been registered just ten days earlier, confirming the suspicion that this was a phishing campaign. As seen in the image below, other characteristics of the infrastructure are the registrar (Unstoppable Domains Inc), a short-lived TLS certificate of 3 months, Cloudflare hosting, and the overall look of disposable infrastructure. The naming strategy is also important here: the attacker has not directly spoofed puma.com, but instead used brand-association wording such as "career" and "orbit", which is common in recruitment. This reduces the chance of tripping automated detections and brand-enforcement triggers, while keeping the email believable for unsuspecting users.

[Image: message header view for the Senior Marketing Manager email at PUMA, showing sender, recipient, subject, and SPF, DKIM and DMARC results]

Figure 2: Original message from careers@pumacareerorbit[.]com

[Image: website security report for pumacareerorbit.com showing HTTP checks, domain information, a connection timeout, and hosting, IP and server-location details]

Figure 3: Domain and IP information pumacareerorbit[.]com

Engaging with the Attacker: Secondary Portal Infrastructure

To further understand the techniques used, the CyberProof team engaged with the attacker by replying to the initial phishing email from a sandboxed environment, so that any malicious payload delivered in return would be contained.

[Image: email from "Puma Careers" inviting the recipient to schedule a 30-minute introductory discussion with a recruiter about a Senior Data Scientist position]

Figure 4: Automated response pipeline

The automated response can be seen above: victims are encouraged to learn more by scheduling a call. At this stage, victims are redirected to puma.candidatesessionportal[.]com, a domain roughly 7 days old, registered through Gname[.]com Pte. Ltd and likewise protected by Cloudflare. Its TLS certificate was recently issued and the site has minimal historical footprint, consistent with a brand-phishing site.

[Image: website scan report for puma.candidatesessionportal.com showing IP details, page information, Cloudflare protection, and a screenshot of the site's homepage with an "Explore spaces" banner]

Figure 5: Candidate session portal information

This second-stage infrastructure hosts a highly convincing fake careers portal, complete with fake careers pages, fake job listings, false scheduling workflows, and embedded credential harvesting flows.

Notable characteristics of the careers portal are the modern, responsive UI, the professional branding, the realistic typography and layout, embedded videos and media, and multiple fake job listings, including "Remote Senior Social Media Manager" and "Remote Growth Marketing Manager". The website presents a realistic onboarding narrative, uses dynamic modal forms, and even has a "Schedule a Call" workflow.

The website appears to be heavily AI-assisted or AI-generated, with polished copywriting, coherent design language, and a templated structure which is easily scalable for attackers to rapidly deploy across use cases and verticals.

[Image: screenshot of the fake PUMA Careers webpage with a search bar]

Figures 6, 7, 8: Fake PUMA careers website components

Borrowing Trust: The Credential Harvesting Workflow

No matter which option the user takes on the careers website, including onboarding forms, contact information requests, social login or fake scheduling workflows, every interaction path will eventually redirect users into credential harvesting flows.

The primary lure observed is an option to "Continue with Facebook", backed by a sophisticated fake OAuth flow that mimics the legitimate OAuth onboarding flows commonly seen across SaaS platforms. Characteristics include a fake Facebook login modal, realistic Meta branding, fake security checks, simulated verification delays, an embedded loading screen, references to Arkose Labs, and an altogether believable authentication workflow.

[Image: "Puma support team" scheduling form with fields for name, email, phone, location and position, an option to receive updates, and a "Continue with Facebook" button]

Figure 9: Fake Contact Form

[Image: fake Facebook login page]

Figure 10: Facebook login form

The attacker leverages the victim's existing trust in Facebook and familiarity with its authentication workflow to lower psychological resistance and harvest their credentials.

[Image: fake Facebook login page displaying an error message in red]

Figure 11: Wrong credentials pop up – Facebook

Technical Characteristics of the Attack

Observed patterns strongly suggest scalable and rapidly deployable phishing infrastructure:

  • Newly registered domains (7–10 days old)
  • Cloudflare-protected infrastructure masking origin services
  • Short-lived TLS certificates
  • Disposable operational windows
  • Modular frontend deployment
  • Multi-stage domain separation between lure and harvesting flows
  • Templated recruitment campaign architecture
  • Scalable brand impersonation capability

This infrastructure appears intentionally optimized for rapid deployment at low operational cost, with short campaign lifecycles and easy campaign cloning across multiple brands and industries.

[Image: dark-themed code editor showing JavaScript that handles password visibility, form validation and sending a captcha request, with the project files listed in the left sidebar]

Figure 12: Inspection into developer tools

An inspection into developer tools also revealed a surprisingly organized frontend structure, including:

  • Bootstrap-based architecture
  • Structured JS/CSS asset hierarchy
  • Reusable modal and interaction components
  • Custom campaign-specific scripts
  • Readable client-side resources
  • Staged popup and redirection workflows
  • hCaptcha integration
  • Client-side form validation logic
  • Facebook-themed authentication lure flows

Client-side scripts included functionality for scheduling workflow handling, email validation and transfer between forms, popup orchestration, hCaptcha verification, staged redirects and social-login themed interaction flows.

Example logic observed included FormData collection, fetch('captcha.php'), modal state management, credential prefill behavior, and interaction gating before the redirect stages.

Notably, portions of the codebase contained Russian-language developer comments, including references to captcha handling, form submission, popup logic and the credential workflow interaction. This does NOT necessarily indicate an operational mistake, since frontend assets are always exposed to the browser.

However, the overall implementation strongly suggests:

  • Rapid template-based deployment
  • Reusable phishing framework architecture
  • Scalable campaign cloning capability
  • Potentially AI-assisted frontend scaffolding
  • Operational reuse across multiple phishing campaigns

Rather than a simplistic phishing page, the operation resembled a lightweight SaaS-style frontend deployment designed for scalable social engineering campaigns.

[Image: Visual Studio Code window showing a JavaScript file from the phishing kit with Russian-language developer comments]

Figure 13: Russian-language developer interaction

While the presence of Russian-language comments alone does not provide attribution, it further suggests the use of a reusable phishing framework or previously developed campaign template rather than a simplistic one-off phishing page.

Key Manipulation Themes of the Attack

It’s interesting to note that the campaign’s effectiveness relied far more on psychological manipulation than technical exploitation. Rather than using fear, urgency, or malware delivery in the initial stages, the attackers leveraged one of the strongest modern emotional triggers in today’s technology industry, namely job insecurity and career uncertainty. There is heavy competition for remote work, and many fear AI-driven workforce disruption and being left behind in a fast-moving workforce.

At a time when headlines are increasingly dominated by discussions around AI replacing white-collar roles, layoffs across the technology sector, hiring freezes and workforce restructuring, the campaign positioned itself as the exact opposite: an unexpected high-quality career opportunity. The victim is presented with a prestigious global brand offering remote employment and career advancement at a time when public discourse is focusing on shrinking opportunities.

Much like real-time marketing campaigns exploit real-time cultural events, trends, and public sentiment, this phishing operation is designed to exploit current workforce anxieties surrounding AI and employment instability, dramatically increasing perceived legitimacy. Key characteristics include:

  • Opportunity-based lure: victims are approached with a positive opportunity for career growth, not a security-related request or financial scheme.
  • Low urgency: the attacker intentionally avoids panic, threats, deadlines or warnings, significantly reducing psychological resistance and suspicion.
  • Familiar corporate workflow: the communication style mirrors legitimate recruiter interactions commonly seen on LinkedIn and corporate hiring platforms, and the attack chain imitates modern enterprise recruitment experiences.
  • Seemingly legitimate SaaS onboarding journey: the attacker uses onboarding forms, modal-based workflows and fake OAuth authentication flows, including hCaptcha validation stages.
  • Professional presentation: The polished communication, visual legitimacy of the PUMA brand, consistent branding, and UX quality all help this attack gain trust from its victims.

Key Takeaways and Recommendations for Organizations

This campaign highlights a major shift in modern phishing operations. Historically, phishing relied on poor grammar, simplistic pages and obvious scams. But modern AI-assisted phishing now enables realistic websites, polished branding, dynamic interaction flows, personalized targeting, and scalable multi-stage campaigns. The barrier to entry has collapsed entirely.

A single threat actor can now rapidly generate multiple brand impersonations, localized campaigns, industry-specific lures, and believable SaaS experiences, all with minimal technical skill. The most important detection signal in this campaign was not malware, an antivirus alert, a broken TLS setup, or any other obvious phishing indicator. It was simple behavioral inconsistency, identity correlation and contextual awareness; specifically, in this case, the mismatch between the identity used in the email and the identity of the LinkedIn account, which raised the initial suspicion.

This demonstrates a growing reality in modern cybersecurity: Traditional technical indicators alone are becoming insufficient against AI-assisted social engineering operations. Human intuition, behavioral analysis, and contextual awareness are increasingly critical detection layers. Our recommendations fall into three categories, for organizations, security teams and job seekers.

For Organizations:

  • Monitor for newly registered domains impersonating corporate brands, especially those combining recruitment, careers, hiring, onboarding, or candidate-related terminology.
  • Expand security awareness programs to include recruitment-themed phishing scenarios and fake onboarding workflows.
  • Establish clear communication channels for candidates to verify recruitment outreach and interview invitations.
  • Implement continuous monitoring for brand abuse, lookalike domains, and fraudulent career portals.
  • Consider publishing official recruitment guidance to help candidates distinguish legitimate hiring communications from impersonation attempts.

For Security Teams:

  • Treat recruitment-themed phishing campaigns as a growing attack vector rather than a niche threat category.
  • Correlate domain age, brand impersonation indicators, and social engineering context when assessing suspicious recruitment activity.
  • Monitor for credential harvesting infrastructure that mimics modern SaaS onboarding experiences rather than traditional phishing pages.
  • Incorporate behavioral and contextual indicators into detection workflows, as technical indicators alone may not be sufficient for identifying AI-assisted phishing campaigns.
  • Review authentication telemetry for users interacting with newly observed recruitment-related domains.
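The infrastructure traits listed under "Technical Characteristics of the Attack" and the correlation the Security Teams recommendations ask for (domain age, brand impersonation indicators and recruitment context assessed together) can be turned into a small scoring routine. The following is an added example, not CyberProof's tooling: it scores a host on registration age, certificate lifetime, Cloudflare fronting, and whether a brand name is packed together with recruitment vocabulary on a domain the brand does not own. The records use the two domain names from the write-up, but their dates, nameservers and the brand allowlist are constructed, not fetched live.

```python
from dataclasses import dataclass
from datetime import date

# Constructed allowlist: the registrable domains a brand actually owns.
BRAND_DOMAINS = {"puma": ("puma.com",)}

# Recruitment vocabulary the write-up singles out for lookalike monitoring.
RECRUIT_TERMS = ("career", "hiring", "onboarding", "candidate", "recruit",
                 "talent", "job", "session", "portal", "interview")


@dataclass(frozen=True)
class DomainRecord:
    domain: str            # fully qualified host seen in the lure
    created: date          # WHOIS/RDAP creation date
    cert_not_before: date  # leaf certificate validity window
    cert_not_after: date
    nameservers: tuple     # authoritative NS hostnames
    observed: date         # when the analyst saw the domain


def brand_owns(host, brand):
    """True when the host is one of the brand's own domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def score_domain(rec):
    """Collect the campaign's infrastructure traits for one host and give a verdict."""
    host = rec.domain.lower().rstrip(".")
    findings = []
    age_days = (rec.observed - rec.created).days
    if age_days <= 30:
        findings.append(f"registered {age_days} days before observation")
    cert_days = (rec.cert_not_after - rec.cert_not_before).days
    if cert_days <= 90:
        findings.append(f"short-lived TLS certificate ({cert_days} days)")
    if any(ns.lower().endswith(".ns.cloudflare.com") for ns in rec.nameservers):
        findings.append("Cloudflare in front of the origin")
    # Brand name and recruitment words packed into labels the brand does not own.
    packed = "".join(host.split(".")[:-1])   # all labels except the TLD
    lookalike = False
    for brand in BRAND_DOMAINS:
        if brand in packed and not brand_owns(host, brand):
            terms = [t for t in RECRUIT_TERMS if t in packed]
            if terms:
                lookalike = True
                findings.append(f"'{brand}' combined with {terms} on a domain "
                                f"the brand does not own")
    # Age, cert lifetime and Cloudflare are common on legitimate sites too;
    # only the brand lookalike plus at least one of them warrants a ticket.
    if lookalike and len(findings) > 1:
        verdict = "investigate"
    elif findings:
        verdict = "note"
    else:
        verdict = "clear"
    return {"domain": host, "verdict": verdict, "findings": findings}


# Constructed records (dates and nameservers are illustrative, matching the
# "ten days", "~7 days" and "3 month certificate" figures in the write-up).
LURE_DOMAIN = DomainRecord("pumacareerorbit.com", date(2025, 3, 1),
                           date(2025, 3, 1), date(2025, 5, 30),
                           ("ada.ns.cloudflare.com", "rob.ns.cloudflare.com"),
                           date(2025, 3, 11))
PORTAL_DOMAIN = DomainRecord("puma.candidatesessionportal.com", date(2025, 3, 4),
                             date(2025, 3, 4), date(2025, 6, 2),
                             ("ada.ns.cloudflare.com", "rob.ns.cloudflare.com"),
                             date(2025, 3, 11))
LEGIT_DOMAIN = DomainRecord("puma.com", date(1995, 6, 1),
                            date(2024, 9, 1), date(2025, 9, 1),
                            ("ns1.example-dns.net",), date(2025, 3, 11))

if __name__ == "__main__":
    for rec in (LURE_DOMAIN, PORTAL_DOMAIN, LEGIT_DOMAIN):
        print(score_domain(rec))
```

Feeding this with records from a newly-registered-domain feed or certificate transparency logs gives the continuous lookalike monitoring the Organizations list asks for; the brand allowlist is the one input that must be maintained by hand.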

For Job Seekers:

  • Verify recruiter outreach through official company career portals and trusted corporate channels.
  • Be cautious of recruitment domains that closely resemble legitimate brands but are not owned by the organization.
  • Review domain registration age and ownership information when interacting with unfamiliar hiring portals (https://urlscan.io/).
  • Avoid using social login providers when engaging with unsolicited recruitment opportunities.
  • Pay close attention to contextual inconsistencies, such as identity mismatches, unusual onboarding flows, or recently created domains.

Conclusion

As generative AI continues to lower the barrier to creating convincing websites, content, and onboarding experiences, and attackers can create ecosystems to weaponize user trust at no greater cost than a $20/month LLM subscription, phishing campaigns will continue to shift from using technical deception to relying on psychological credibility.

These techniques are improving hourly. The challenge for defenders is no longer identifying poorly crafted phishing pages or typosquatting attacks; it is recognizing highly convincing experiences designed to feel completely legitimate.

Detecting these campaigns will increasingly depend on contextual awareness, behavioral analysis, and critical thinking rather than visual indicators alone.